Legend:
D - deprecated feature; M - missing from doc; T - True by default (if changed); F - False by default (if changed); R - Removed;
Feature Description 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 1.22 1.23 1.24 1.25 1.26 1.27 1.28 1.29 1.30 1.31 1.32
AllowUnsafeMalformedObjectDeletion Enables the cluster operator to identify corrupt resource(s) using the list operation, and introduces an option ignoreStoreReadErrorWithClusterBreakingPotential that the operator can set to perform an unsafe, forced delete of such corrupt resource(s) using the Kubernetes API.
AnonymousAuthConfigurableEndpoints
AdmissionWebhookMatchConditions Enable match conditions on mutating & validating admission webhooks.
https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions
T
AggregatedDiscoveryEndpoint Enable a single HTTP endpoint /discovery/'version' which supports native HTTP caching with ETags containing all APIResources known to the API server. T
AllowServiceLBStatusOnNonLB Enables .status.ingress.loadBalancer to be set on Services of types other than LoadBalancer. D
AnyVolumeDataSource Enable use of any custom resource as the DataSource of a PVC.
https://kubernetes.io/docs/concepts/storage/persistent-volumes/#volume-populators-and-data-sources
T
APIListChunking Enable the API clients to retrieve (LIST or GET) resources from API server in chunks. T
APIPriorityAndFairness Enable managing request concurrency with prioritization and fairness at each server. (Renamed from RequestManagement) T R
APIResponseCompression Compress the API responses for LIST or GET requests. T
APISelfSubjectReview Activate the SelfSubjectReview API which allows users to see the requesting subject's authentication information. See API access to authentication information for a client for more details.
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#self-subject-review
T R
APIServerIdentity Assign each API server an ID in a cluster, using a Lease.
https://kubernetes.io/docs/concepts/architecture/leases/
T
APIServerTracing Add support for distributed tracing in the API server. See Traces for Kubernetes System Components for more details.
https://kubernetes.io/docs/concepts/cluster-administration/system-traces/
T
APIServerWithRoute This feature gate enables an API server performance improvement: the API server can use separate goroutines (lightweight threads managed by the Go runtime) to serve watch requests.
AppArmor Enable use of AppArmor mandatory access control for Pods running on Linux nodes. See AppArmor Tutorial for more details.
https://kubernetes.io/docs/tutorials/security/apparmor/
T
AppArmorFields Enable AppArmor related security context settings.
For more information about AppArmor and Kubernetes, read the AppArmor section within security features in the Linux kernel.
AuthorizeNodeWithSelectors Make the Node authorizer use fine-grained selector authorization. Requires AuthorizeWithSelectors to be enabled. T
AuthorizeWithSelectors Allows authorization to use field and label selectors. Enables fieldSelector and labelSelector fields in the SubjectAccessReview API, passes field and label selector information to authorization webhooks, enables fieldSelector and labelSelector functions in the authorizer CEL library, and enables checking fieldSelector and labelSelector fields in authorization webhook matchConditions. T
BtreeWatchCache When enabled, the API server will replace the legacy HashMap-based watch cache with a BTree-based implementation. This replacement may bring performance improvements. T
CBORServingAndStorage Enables CBOR as a supported encoding for requests and responses, and as the preferred storage encoding for custom resources.
CloudControllerManagerWebhook Enable webhooks in cloud controller manager.
CloudDualStackNodeIPs Enables dual-stack kubelet --node-ip with external cloud providers. See Configure IPv4/IPv6 dual-stack for more details.
https://kubernetes.io/docs/concepts/services-networking/dual-stack/#configure-ipv4-ipv6-dual-stack
T R
ClusterTrustBundle Enable ClusterTrustBundle objects and kubelet integration.
ClusterTrustBundleProjection Enables clusterTrustBundle projected volume sources.
https://kubernetes.io/docs/concepts/storage/projected-volumes/#clustertrustbundle
ComponentFlagz Enables the component's flagz endpoint. See zpages for more information.
ComponentSLIs Enable the /metrics/slis endpoint on Kubernetes components like kubelet, kube-scheduler, kube-proxy, kube-controller-manager, cloud-controller-manager allowing you to scrape health check metrics. T
ComponentStatusz Enables the component's statusz endpoint. See zpages for more information.
ConcurrentWatchObjectDecode Enable concurrent watch object decoding. This is to avoid starving the API server's watch cache when a conversion webhook is installed.
ConsistentHTTPGetHandlers Normalize HTTP get URL and Header passing for lifecycle handlers with probers. T R
ConsistentListFromCache Allow the API server to serve consistent lists from cache. T
ContainerCheckpoint Enables the kubelet checkpoint API. See Kubelet Checkpoint API for more details.
https://kubernetes.io/docs/reference/node/kubelet-checkpoint-api/
T
ContextualLogging When you enable this feature gate, Kubernetes components that support contextual logging add extra detail to log output. T
CoordinatedLeaderElection Enables the behaviors supporting the LeaseCandidate API, and also enables coordinated leader election for the Kubernetes control plane, deterministically.
CPUManager Enable container level CPU affinity support, see CPU Management Policies.
https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/
T
CPUManagerPolicyAlphaOptions This allows fine-tuning of CPUManager policies, experimental, Alpha-quality options. This feature gate guards a group of CPUManager options whose quality level is alpha. This feature gate will never graduate to beta or stable.
CPUManagerPolicyBetaOptions This allows fine-tuning of CPUManager policies, experimental, Beta-quality options. This feature gate guards a group of CPUManager options whose quality level is beta. This feature gate will never graduate to stable. T
CPUManagerPolicyOptions Allow fine-tuning of CPUManager policies. T
CRDValidationRatcheting Enable updates to custom resources to contain violations of their OpenAPI schema if the offending portions of the resource update did not change. See Validation Ratcheting for more details.
https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation-ratcheting
T
CronJobsScheduledAnnotation Set the scheduled job time as an annotation on Jobs that were created on behalf of a CronJob. T
CronJobTimeZone Allow the use of the timeZone optional field in CronJobs.
https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
T R
CrossNamespaceVolumeDataSource Enable the usage of cross namespace volume data source to allow you to specify a source namespace in the dataSourceRef field of a PersistentVolumeClaim.
CSIMigrationAzureFile Enables shims and translation logic to route volume operations from the Azure-File in-tree plugin to AzureFile CSI plugin. Supports falling back to in-tree AzureFile plugin for mount operations to nodes that have the feature disabled or that do not have AzureFile CSI plugin installed and configured. Does not support falling back for provision operations, for those the CSI plugin must be installed and configured. Requires CSIMigration feature flag enabled. F T R
CSIMigrationPortworx Enables shims and translation logic to route volume operations from the Portworx in-tree plugin to Portworx CSI plugin. Requires Portworx CSI driver to be installed and configured in the cluster. F T
CSIMigrationRBD Enables shims and translation logic to route volume operations from the RBD in-tree plugin to Ceph RBD CSI plugin. Requires CSIMigration and csiMigrationRBD feature flags enabled and Ceph CSI plugin installed and configured in the cluster. This flag has been deprecated in favor of the InTreePluginRBDUnregister feature flag which prevents the registration of in-tree RBD plugin. D
CSIMigrationvSphere Enables shims and translation logic to route volume operations from the vSphere in-tree plugin to vSphere CSI plugin. Supports falling back to in-tree vSphere plugin for mount operations to nodes that have the feature disabled or that do not have vSphere CSI plugin installed and configured. Does not support falling back for provision operations, for those the CSI plugin must be installed and configured. Requires CSIMigration feature flag enabled. F T R
CSINodeExpandSecret Enable passing secret authentication data to a CSI driver for use during a NodeExpandVolume CSI operation. T R
CSIVolumeHealth Enable support for CSI volume health monitoring on node.
CustomCPUCFSQuotaPeriod Enable nodes to change cpuCFSQuotaPeriod in kubelet config.
CustomResourceValidation Enable schema based validation on resources created from CustomResourceDefinition. R
CustomResourceValidationExpressions Enable expression language validation in CRD which will validate custom resources based on validation rules written in the x-kubernetes-validations extension. T R
CustomResourceFieldSelectors Enable selectableFields in the CustomResourceDefinition API to allow filtering of custom resource list, watch and deletecollection requests. T
DaemonSetUpdateSurge Enables the DaemonSet workloads to maintain availability during update per node. See Perform a Rolling Update on a DaemonSet. T R
DefaultHostNetworkHostPortsInPodTemplates Changes when the default value of PodSpec.containers[*].ports[*].hostPort is assigned. The default is to only set a default value in Pods. Enabling this means a default will be assigned even to embedded PodSpecs (e.g. in a Deployment), which is the historical default. D
DevicePluginCDIDevices Enable support to CDI device IDs in the Device Plugin API.
https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/
T
DisableCloudProviders Disables any functionality in kube-apiserver, kube-controller-manager and kubelet related to the --cloud-provider component flag. T
DisableKubeletCloudCredentialProviders Disable the in-tree functionality in kubelet to authenticate to a cloud provider container registry for image pull credentials. T
DisableNodeKubeProxyVersion Disable setting the kubeProxyVersion field of the Node. FD D
DownwardAPIHugePages Enables usage of hugepages in downward API.
T R
DynamicResourceAllocation Enables support for resources with custom parameters and a lifecycle that is independent of a Pod. F
EfficientWatchResumption Allows for storage-originated bookmark (progress notify) events to be delivered to the users. This is only applied to watch operations. T
ElasticIndexedJob Enables Indexed Jobs to be scaled up or down by mutating both spec.completions and spec.parallelism together such that spec.completions == spec.parallelism. See docs on elastic Indexed Jobs for more details.
https://kubernetes.io/docs/concepts/workloads/controllers/job/#elastic-indexed-jobs
T
EventedPLEG Enable support for the kubelet to receive container life cycle events from the container runtime via an extension to CRI. (PLEG is an abbreviation for “Pod lifecycle event generator”). For this feature to be useful, you also need to enable support for container lifecycle events in each container runtime running in your cluster. If the container runtime does not announce support for container lifecycle events then the kubelet automatically switches to the legacy generic PLEG mechanism, even if you have this feature gate enabled.
ExecProbeTimeout Ensure kubelet respects exec probe timeouts. This feature gate exists in case any of your existing workloads depend on a now-corrected fault where Kubernetes ignored exec probe timeouts. See readiness probes.
https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
T
ExpandedDNSConfig Enable kubelet and kube-apiserver to allow more DNS search paths and longer list of DNS search paths. This feature requires container runtime support (Containerd: v1.5.6 or higher, CRI-O: v1.22 or higher). See Expanded DNS Configuration.
https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#expanded-dns-configuration
T R
ExperimentalHostUserNamespaceDefaulting Enabling the defaulting user namespace to host. This is for containers that are using other host namespaces, host mounts, or containers that are privileged or using specific non-namespaced capabilities (e.g. MKNODE, SYS_MODULE etc.). This should only be enabled if user namespace remapping is enabled in the Docker daemon. F D
GracefulNodeShutdown Enables support for graceful shutdown in kubelet. During a system shutdown, kubelet will attempt to detect the shutdown event and gracefully terminate pods running on the node. See Graceful Node Shutdown for more details.
https://kubernetes.io/docs/concepts/architecture/nodes/#graceful-node-shutdown
T
GracefulNodeShutdownBasedOnPodPriority Enables the kubelet to check Pod priorities when shutting down a node gracefully. T
GRPCContainerProbe Enables the gRPC probe method for {Liveness,Readiness,Startup}Probe. See Configure Liveness, Readiness and Startup Probes.
https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-grpc-liveness-probe
T R
HonorPVReclaimPolicy Honor persistent volume reclaim policy when it is Delete irrespective of PV-PVC deletion ordering. For more details, check the PersistentVolume deletion protection finalizer documentation.
https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolume-deletion-protection-finalizer
T
HPAContainerMetrics Enable the HorizontalPodAutoscaler to scale based on metrics from individual containers in target pods. T R
HPAScaleToZero Enables setting minReplicas to 0 for HorizontalPodAutoscaler resources when using custom or external metrics.
ImageMaximumGCAge Enables setting minReplicas to 0 for HorizontalPodAutoscaler resources when using custom or external metrics. T
ImageVolume Allow using the image volume source in a Pod. This volume source lets you mount a container image as a read-only volume.
InPlacePodVerticalScaling Enables in-place Pod vertical scaling.
InPlacePodVerticalScalingAllocatedStatus Enables the allocatedResources field in the container status. This feature requires the InPlacePodVerticalScaling gate be enabled as well.
InPlacePodVerticalScalingExclusiveCPUS Enable resource resizing for containers in Guaranteed pods with integer CPU requests. It applies only in nodes with InPlacePodVerticalScaling and CPUManager features enabled, and the CPUManager policy set to static.
InTreePluginAWSUnregister Stops registering the aws-ebs in-tree plugin in kubelet and volume controllers. R
InTreePluginAzureDiskUnregister Stops registering the azuredisk in-tree plugin in kubelet and volume controllers. R
InTreePluginAzureFileUnregister Stops registering the azurefile in-tree plugin in kubelet and volume controllers. R
InTreePluginGCEUnregister Stops registering the gce-pd in-tree plugin in kubelet and volume controllers. R
InTreePluginOpenStackUnregister Stops registering the OpenStack cinder in-tree plugin in kubelet and volume controllers. R
InTreePluginPortworxUnregister Stops registering the Portworx in-tree plugin in kubelet and volume controllers.
InTreePluginRBDUnregister Stops registering the RBD in-tree plugin in kubelet and volume controllers. D
InTreePluginvSphereUnregister Stops registering the vSphere in-tree plugin in kubelet and volume controllers. R
IPTablesOwnershipCleanup This causes kubelet to no longer create legacy iptables rules. T R
JobBackoffLimitPerIndex Allows specifying the maximal number of pod retries per index in Indexed jobs. T
JobMutableNodeSchedulingDirectives Allows updating node scheduling directives in the pod template of Job. T R
JobManagedBy Allows delegating reconciliation of a Job object to an external controller. T
JobPodFailurePolicy Allow users to specify handling of pod failures based on container exit codes and pod conditions. T
JobPodReplacementPolicy Allows you to specify pod replacement for terminating pods in a Job. T
JobSuccessPolicy Allow users to specify when a Job can be declared as succeeded based on the set of succeeded pods. T
JobReadyPods Enables tracking the number of Pods that have a Ready condition. The count of Ready pods is recorded in the status of a Job. T R
JobTrackingWithFinalizers Enables tracking Job completions without relying on Pods remaining in the cluster indefinitely. The Job controller uses Pod finalizers and a field in the Job status to keep track of the finished Pods to count towards completion. F T R
KMSv1 Enables KMS v1 API for encryption at rest. See Using a KMS Provider for data encryption for more details. TD FD
KMSv2 Enables KMS v2 API for encryption at rest. See Using a KMS Provider for data encryption for more details. T R
KMSv2KDF Enables KMS v2 to generate single use data encryption keys. See Using a KMS Provider for data encryption for more details. If the KMSv2 feature gate is not enabled in your cluster, the value of the KMSv2KDF feature gate has no effect. F T R
KubeletCgroupDriverFromCRI Enable detection of the kubelet cgroup driver configuration option from the CRI. You can use this feature gate on nodes with a kubelet that supports the feature gate and where there is a CRI container runtime that supports the RuntimeConfig CRI call. If both CRI and kubelet support this feature, the kubelet ignores the cgroupDriver configuration setting (or deprecated --cgroup-driver command line argument). If you enable this feature gate and the container runtime doesn't support it, the kubelet falls back to using the driver configured using the cgroupDriver configuration setting. See Configuring a cgroup driver for more details. T
KubeletCrashLoopBackOffMax Enables support for configurable per-node backoff maximums for restarting containers in the CrashLoopBackOff state.
KubeletFineGrainedAuthz Enable fine-grained authorization for the kubelet's HTTP(s) API.
KubeletInUserNamespace Enables support for running kubelet in a user namespace. See Running Kubernetes Node Components as a Non-root User.
https://kubernetes.io/docs/tasks/administer-cluster/kubelet-in-userns/
KubeletPodResources Enable the kubelet's pod resources gRPC endpoint. See Support Device Monitoring for more details.
https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/606-compute-device-assignment/README.md
T R
KubeletPodResourcesDynamicResources Extend the kubelet's pod resources gRPC endpoint to include resources allocated in ResourceClaims via the DynamicResourceAllocation API, with information about the allocatable resources, enabling clients to properly track the free compute resources on a node. See resource allocation reporting for more details.
KubeletPodResourcesGet Enable the Get gRPC endpoint on the kubelet for Pod resources. This API augments the resource allocation reporting.
KubeletPodResourcesGetAllocatable Enable the kubelet's pod resources GetAllocatableResources functionality. This API augments the resource allocation reporting. T R
KubeletSeparateDiskGC Enable kubelet to garbage collect container images and containers even when those are on a separate filesystem. T
KubeletTracing Add support for distributed tracing in the kubelet. When enabled, kubelet CRI interface and authenticated http servers are instrumented to generate OpenTelemetry trace spans. See Traces for Kubernetes System Components for more details.
https://kubernetes.io/docs/concepts/cluster-administration/system-traces/
T
KubeProxyDrainingTerminatingNodes Implement connection draining for terminating nodes for externalTrafficPolicy: Cluster services. T
LegacyServiceAccountTokenCleanUp Enable cleaning up Secret-based service account tokens when they are not used in a specified time (default to be one year). T R
LegacyServiceAccountTokenNoAutoGeneration Stop auto-generation of Secret-based service account tokens. T R
LegacyServiceAccountTokenTracking Track usage of Secret-based service account tokens. T
LoadBalancerIPMode Allows setting ipMode for Services where type is set to LoadBalancer. See Specifying IPMode of load balancer status for more information.
https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-ip-mode
T
LocalStorageCapacityIsolationFSQuotaMonitoring When LocalStorageCapacityIsolation is enabled for local ephemeral storage and the backing filesystem for emptyDir volumes supports project quotas and they are enabled, use project quotas to monitor emptyDir volume storage consumption rather than filesystem walk for better performance and accuracy. F
LogarithmicScaleDown Enable semi-random selection of pods to evict on controller scaledown based on logarithmic bucketing of pod timestamps. T
LoggingAlphaOptions Allow fine-tuning of experimental, alpha-quality logging options.
LoggingBetaOptions Allow fine-tuning of experimental, beta-quality logging options. T
MatchLabelKeysInPodAffinity Enable the matchLabelKeys and mismatchLabelKeys field for pod (anti)affinity. T
MatchLabelKeysInPodTopologySpread Enable the matchLabelKeys field for Pod topology spread constraints. T
MaxUnavailableStatefulSet Enables setting the maxUnavailable field for the rolling update strategy of a StatefulSet. The field specifies the maximum number of Pods that can be unavailable during the update.
MemoryManager Allows setting memory affinity for a container based on NUMA topology. T
MemoryQoS Enable memory protection and usage throttle on pod / container using cgroup v2 memory controller.
MinDomainsInPodTopologySpread Enable minDomains in Pod topology spread constraints.
https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
F T
MinimizeIPTablesRestore Enables new performance improvement logics in the kube-proxy iptables mode. T R
MultiCIDRRangeAllocator Enables the MultiCIDR range allocator. R
MultiCIDRServiceAllocator Track IP address allocations for Service cluster IPs using IPAddress objects.
MutatingAdmissionPolicy Enable MutatingAdmissionPolicy support for CEL mutations to be used in admission control.
NewVolumeManagerReconstruction Enables improved discovery of mounted volumes during kubelet startup. Since this code has been significantly refactored, you can opt out in case the kubelet gets stuck at startup or is not unmounting volumes from terminated Pods. Note that this refactoring was behind the SELinuxMountReadWriteOncePod alpha feature gate in Kubernetes 1.25.
Before Kubernetes v1.25, the kubelet used different default behavior for discovering mounted volumes during the kubelet startup. If you disable this feature gate (it's enabled by default), you select the legacy discovery behavior.
In Kubernetes v1.25 and v1.26, this behavior toggle was part of the SELinuxMountReadWriteOncePod feature gate.
F T
NFTablesProxyMode Allow running kube-proxy in nftables mode.
https://kubernetes.io/docs/reference/networking/virtual-ips/#proxy-mode-nftables
T
NodeInclusionPolicyInPodTopologySpread Enable using nodeAffinityPolicy and nodeTaintsPolicy in Pod topology spread constraints when calculating pod topology spread skew. T
NodeLogQuery Enables querying logs of node services using the /logs endpoint.
NodeOutOfServiceVolumeDetach When a Node is marked out-of-service using the node.kubernetes.io/out-of-service taint, Pods on the node will be forcefully deleted if they can not tolerate this taint, and the volume detach operations for Pods terminating on the node will happen immediately. The deleted Pods can recover quickly on different nodes. T
NodeSwap Enable the kubelet to allocate swap memory for Kubernetes workloads on a node. Must be used with KubeletConfiguration.failSwapOn set to false. For more details, please see swap memory.
https://kubernetes.io/docs/concepts/architecture/nodes/#swap-memory
F T
OpenAPIEnums Enables populating "enum" fields of OpenAPI schemas in the spec returned from the API server. T
OpenAPIV3 Enables the API server to publish OpenAPI v3. T R
PDBUnhealthyPodEvictionPolicy Enables the unhealthyPodEvictionPolicy field of a PodDisruptionBudget. This specifies when unhealthy pods should be considered for eviction. Please see Unhealthy Pod Eviction Policy for more details.
https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy
T
PersistentVolumeLastPhaseTransitionTime Adds a new field to PersistentVolume which holds a timestamp of when the volume last transitioned its phase. T
PodAndContainerStatsFromCRI Configure the kubelet to gather container and pod stats from the CRI container runtime rather than gathering them from cAdvisor. As of 1.26, this also includes gathering metrics from CRI and emitting them over /metrics/cadvisor (rather than having cAdvisor emit them directly).
PodDeletionCost Enable the Pod Deletion Cost feature which allows users to influence ReplicaSet downscaling order.
https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/#pod-deletion-cost
T
PodDisruptionConditions Enables support for appending a dedicated pod condition indicating that the pod is being deleted due to a disruption. T
PodHostIPs Enable the status.hostIPs field for pods and the downward API. The field lets you expose host IP addresses to workloads. T R
PodIndexLabel Enables the Job controller and StatefulSet controller to add the pod index as a label when creating new pods. See Job completion mode docs and StatefulSet pod index label docs for more details. T
PodLevelResources Enable Pod level resources: the ability to specify resource requests and limits at the Pod level, rather than only for specific containers.
PodLifecycleSleepAction Enables the sleep action in Container lifecycle hooks. T
PodLifecycleSleepActionAllowZero Enables setting zero value for the sleep action in container lifecycle hooks.
PodLogsQuerySplitStreams Enable fetching specific log streams (either stdout or stderr) from a container's log streams, using the Pod API.
PodReadyToStartContainersCondition Enable the kubelet to mark the PodReadyToStartContainers condition on pods.
This feature gate was previously known as PodHasNetworkCondition, and the associated condition was named PodHasNetwork.
T
PodSchedulingReadiness Enable setting schedulingGates field to control a Pod's scheduling readiness.
https://kubernetes.io/docs/concepts/scheduling-eviction/pod-scheduling-readiness
T
ProbeTerminationGracePeriod Enable setting probe-level terminationGracePeriodSeconds on pods. See the enhancement proposal for more details.
https://v1-28.docs.kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#probe-level-terminationgraceperiodseconds
https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2238-liveness-probe-grace-period
F T R
PortForwardWebsockets Allow WebSocket streaming of the portforward sub-protocol (port-forward) from clients requesting version v2 (v2.portforward.k8s.io) of the sub-protocol. T
PreferAlignCpusByUncoreCache When PreferAlignCpusByUncoreCache is enabled while the CPU Manager Policy is set to static, containers within a Guaranteed pod will individually be aligned to an uncore cache group at a best-effort policy. This feature can optimize performance for certain cache-sensitive workloads by minimizing the cpu allocation across uncore caches.
ProcMountType Enables control over the type of proc mounts for containers by setting the procMount field of a SecurityContext.
ProxyTerminatingEndpoints Enable the kube-proxy to handle terminating endpoints when ExternalTrafficPolicy=Local. T R
QOSReserved Allows resource reservations at the QoS level preventing pods at lower QoS levels from bursting into resources requested at higher QoS levels (memory only for now).
ReadWriteOncePod Enables the usage of ReadWriteOncePod PersistentVolume access mode. T R
RecoverVolumeExpansionFailure Enables users to edit their PVCs to smaller sizes so that they can recover from previously issued volume expansion failures. See Recovering from Failure when Expanding Volumes for more details.
https://kubernetes.io/docs/concepts/storage/persistent-volumes/#recovering-from-failure-when-expanding-volumes
RecursiveReadOnlyMounts Enables support for recursive read-only mounts. For more details, see read-only mounts.
RelaxedDNSSearchValidation Relax the server side validation for the DNS search string (.spec.dnsConfig.searches) for containers. For example, with this gate enabled, it is okay to include the _ character in the DNS name search string.
RelaxedEnvironmentVariableValidation Allow almost all printable ASCII characters in environment variables. T
ReloadKubeletServerCertificateFile Enable the kubelet TLS server to update its certificate if the specified certificate file is changed.
This feature is useful when specifying tlsCertFile and tlsPrivateKeyFile in kubelet configuration. The feature gate has no effect for other cases such as using TLS bootstrap.
T
RemainingItemCount Allow the API servers to show a count of remaining items in the response to a chunking list request.
https://kubernetes.io/docs/reference/using-api/api-concepts/#retrieving-large-results-sets-in-chunks
T
RemoveSelfLink Sets the .metadata.selfLink field to blank (empty string) for all objects and collections. This field has been deprecated since the Kubernetes v1.16 release. When this feature is enabled, the .metadata.selfLink field remains part of the Kubernetes API, but is always unset. T R
RetroactiveDefaultStorageClass Allow assigning StorageClass to unbound PVCs retroactively. T R
RemoteRequestHeaderUID Enable the API server to accept UIDs (user IDs) via request header authentication. This will also make the kube-apiserver's API aggregator add UIDs via standard headers when forwarding requests to the servers serving the aggregated API.
ResilientWatchCacheInitialization Enables resilient watchcache initialization to avoid controlplane overload. T
ResourceHealthStatus Enable the allocatedResourcesStatus field within the .status for a Pod. The field reports additional details for each container in the Pod, with the health information for each device assigned to the Pod. See Device plugin and unhealthy devices for more details.
RetryGenerateName Enables retrying of object creation when the API server is expected to generate a name.
When this feature is enabled, requests using generateName are retried automatically in case the control plane detects a name conflict with an existing object, up to a limit of 8 total attempts.
T
RotateKubeletServerCertificate Enable the rotation of the server TLS certificate on the kubelet. See kubelet configuration for more details. T
RuntimeClassInImageCriApi Enables images to be pulled based on the runtime class of the pods that reference them.
https://kubernetes.io/docs/concepts/containers/runtime-class/
SchedulerAsyncPreemption Enable running some expensive operations within the scheduler, associated with preemption, asynchronously. Asynchronous processing of preemption improves overall Pod scheduling latency.
SchedulerQueueingHints Enables the scheduler's queueing hints enhancement, which helps reduce useless requeueing. The scheduler retries scheduling pods if something changes in the cluster that could make the pod schedulable. Queueing hints are internal signals that allow the scheduler to filter the changes in the cluster that are relevant to the unscheduled pod, based on previous scheduling attempts.
https://github.com/kubernetes/enhancements/blob/master/keps/sig-scheduling/4247-queueinghint/README.md
T F T
SeccompDefault Enables the use of RuntimeDefault as the default seccomp profile for all workloads. The seccomp profile is specified in the securityContext of a Pod and/or a Container. T R
SecurityContextDeny This gate signals that the SecurityContextDeny admission controller is deprecated. R
SELinuxChangePolicy Enables the spec.securityContext.seLinuxChangePolicy field. This field can be used to opt out of applying the SELinux label to the pod volumes using mount options. This is required when a single volume that supports mounting with the SELinux mount option is shared between Pods that have different SELinux labels, such as privileged and unprivileged Pods.
Enabling the SELinuxChangePolicy feature gate requires the feature gate SELinuxMountReadWriteOncePod to be enabled.
SELinuxMount Speeds up container startup by allowing kubelet to mount volumes for a Pod directly with the correct SELinux label instead of changing each file on the volumes recursively. It widens the performance improvements behind the SELinuxMountReadWriteOncePod feature gate by extending the implementation to all volumes.
Enabling the SELinuxMount feature gate requires the feature gates SELinuxMountReadWriteOncePod and SELinuxChangePolicy to be enabled.
SELinuxMountReadWriteOncePod Speeds up container startup by allowing kubelet to mount volumes for a Pod directly with the correct SELinux label instead of changing each file on the volumes recursively. The initial implementation focused on ReadWriteOncePod volumes. F T
SeparateCacheWatchRPC Allows the API server watch cache to create a watch on a dedicated RPC. This prevents watch cache from being starved by other watches. T
SeparateTaintEvictionController Enables running TaintEvictionController, which performs Taint-based Evictions, in a controller separated from NodeLifecycleController. When this feature is enabled, users can optionally disable Taint-based Eviction by setting the --controllers=-taint-eviction-controller flag on the kube-controller-manager. T
ServerSideApply Enables the Server Side Apply (SSA) feature on the API Server.
https://kubernetes.io/docs/reference/using-api/server-side-apply/
T R
ServerSideFieldValidation Enables server-side field validation. This means the validation of resource schema is performed at the API server side rather than the client side (for example, the kubectl create or kubectl apply command line). T
ServiceAccountTokenJTI Controls whether JTIs (UUIDs) are embedded into generated service account tokens, and whether these JTIs are recorded into the Kubernetes audit log for future requests made by these tokens. T
ServiceAccountTokenNodeBinding Controls whether the apiserver allows binding service account tokens to Node objects. T
ServiceAccountTokenNodeBindingValidation Controls whether the apiserver will validate a Node reference in service account tokens. T
ServiceAccountTokenPodNodeInfo Controls whether the apiserver embeds the node name and uid for the associated node when issuing service account tokens bound to Pod objects. T
ServiceNodePortStaticSubrange Enables the use of different port allocation strategies for NodePort Services. For more details, see reserve NodePort ranges to avoid collisions.
https://kubernetes.io/docs/concepts/services-networking/service/#avoid-nodeport-collisions
T R
ServiceTrafficDistribution Allows usage of the optional spec.trafficDistribution field in Services. The field offers a way to express preferences for how traffic is distributed to Service endpoints. T
SidecarContainers Allow setting the restartPolicy of an init container to Always so that the container becomes a sidecar container (restartable init containers). See Sidecar containers and restartPolicy for more details. T
SizeMemoryBackedVolumes Enable kubelets to determine the size limit for memory-backed volumes (mainly emptyDir volumes). T
SkipReadOnlyValidationGCE Skip validation for GCE, will enable in the next version. DF R
StableLoadBalancerNodeSet Enables less load balancer re-configurations by the service controller (KCCM) as an effect of changing node state. T R
StatefulSetAutoDeletePVC Allows the use of the optional .spec.persistentVolumeClaimRetentionPolicy field, providing control over the deletion of PVCs in a StatefulSet's lifecycle. See PersistentVolumeClaim retention for more details. F
StatefulSetStartOrdinal Allow configuration of the start ordinal in a StatefulSet. See Start ordinal for more details.
https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#start-ordinal
T
StorageNamespaceIndex Enables a namespace indexer for namespace scoped resources in API server cache to accelerate list operations. T
StorageVersionAPI Enable the storage version API.
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#storageversion-v1alpha1-internal-apiserver-k8s-io
StorageVersionHash Allow API servers to expose the storage version hash in the discovery. T
StorageVersionMigrator Enables storage version migration. See Migrate Kubernetes Objects Using Storage Version Migration for more details.
StrictCostEnforcementForVAP Apply strict CEL cost validation for ValidatingAdmissionPolicies. F T
StrictCostEnforcementForWebhooks Apply strict CEL cost validation for matchConditions within admission webhooks. T
StructuredAuthenticationConfiguration Enable structured authentication configuration for the API server.
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server
T
SupplementalGroupsPolicy Enables support for fine-grained SupplementalGroups control. For more details, see Configure fine-grained SupplementalGroups control for a Pod.
SystemdWatchdog Allow using systemd watchdog to monitor the health status of kubelet. See Kubelet Systemd Watchdog for more details. T
TopologyAwareHints Enables topology aware routing based on topology hints in EndpointSlices. See Topology Aware Hints for more details. F T
TopologyManager Enable a mechanism to coordinate fine-grained hardware resource assignments for different components in Kubernetes. See Control Topology Management Policies on a node.
https://kubernetes.io/docs/tasks/administer-cluster/topology-manager/
T R
TopologyManagerPolicyAlphaOptions Allow fine-tuning of topology manager policies, experimental, Alpha-quality options. This feature gate guards a group of topology manager options whose quality level is alpha. This feature gate will never graduate to beta or stable.
TopologyManagerPolicyBetaOptions Allow fine-tuning of topology manager policies, experimental, Beta-quality options. This feature gate guards a group of topology manager options whose quality level is beta. This feature gate will never graduate to stable. F T
TopologyManagerPolicyOptions Allow fine-tuning of topology manager policies. T
TranslateStreamCloseWebsocketRequests Allow WebSocket streaming of the remote command sub-protocol (exec, cp, attach) from clients requesting version 5 (v5) of the sub-protocol. T
UnauthenticatedHTTP2DOSMitigation Enables HTTP/2 Denial of Service (DoS) mitigations for unauthenticated clients. Kubernetes v1.28.0 through v1.28.2 do not include this feature gate. F T
UnknownVersionInteroperabilityProxy Proxy resource requests to the correct peer kube-apiserver when multiple kube-apiservers exist at varied versions. See Mixed version proxy for more information.
https://kubernetes.io/docs/concepts/architecture/mixed-version-proxy/
UserNamespacesPodSecurityStandards Enable Pod Security Standards policies relaxation for pods that run with namespaces. You must set the value of this feature gate consistently across all nodes in your cluster, and you must also enable UserNamespacesSupport to use this feature.
UserNamespacesSupport Enable user namespace support for Pods. F
ValidatingAdmissionPolicy Enable ValidatingAdmissionPolicy support for CEL validations to be used in Admission Control.
https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/
F
VolumeAttributesClass Enable support for VolumeAttributesClasses. See Volume Attributes Classes for more information.
https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
F
VolumeCapacityPriority Enable support for prioritizing nodes in different topologies based on available PV capacity.
WatchBookmark Enable support for watch bookmark events. T
WatchCacheInitializationPostStartHook Enables post-start-hook for watchcache initialization to be part of readyz (with timeout). F
WatchFromStorageWithoutResourceVersion Enables watches without resourceVersion to be served from storage. F
WatchList Enable support for streaming initial state of objects in watch requests.
https://kubernetes.io/docs/reference/using-api/api-concepts/#streaming-lists
T
WindowsHostNetwork Enables support for joining Windows containers to a host's network namespace. T
WatchListClient Enables support for joining Windows containers to a host's network namespace. F
WindowsCPUAndMemoryAffinity Add CPU and Memory Affinity support to Windows nodes with CPUManager, MemoryManager and topology manager.
WindowsGracefulNodeShutdown Enables support for Windows node graceful shutdown in kubelet. During a system shutdown, kubelet will attempt to detect the shutdown event and gracefully terminate pods running on the node. See Graceful Node Shutdown for more details.
WinDSR Allows kube-proxy to create DSR loadbalancers for Windows.
WinOverlay Allows kube-proxy to run in overlay mode for Windows. T
ZeroLimitedNominalConcurrencyShares Allow Priority & Fairness in the API server to use a zero value for the nominalConcurrencyShares field of the limited section of a priority level.
https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
F R